This page describes the preventive policies included in the v1.0 predefined secure-by-default (extended) posture. This predefined posture helps prevent common misconfigurations and common security issues that arise from default settings.
You can use this predefined posture to configure a security posture that helps protect your Google Cloud resources. To deploy it, you must customize some of its policies so that they apply to your environment.
| Policy | Description | Compliance standards |
|---|---|---|
| `iam.disableServiceAccountKeyCreation` | This constraint prevents users from creating persistent keys for service accounts, reducing the risk of exposed service account credentials. The value is | NIST SP 800-53 control: AC-2 |
| `iam.automaticIamGrantsForDefaultServiceAccounts` | This constraint prevents default service accounts from receiving the overly permissive Identity and Access Management (IAM) Editor role at creation. The value is | NIST SP 800-53 control: AC-3 |
| `iam.disableServiceAccountKeyUpload` | This constraint avoids the risk of leaked and reused custom key material in service account keys. The value is | NIST SP 800-53 control: AC-6 |
| `storage.publicAccessPrevention` | This policy prevents Cloud Storage buckets from being opened to unauthenticated public access. The value is | NIST SP 800-53 controls: AC-3 and AC-6 |
| `iam.allowedPolicyMemberDomains` | This policy limits IAM policies so that only managed user identities in the selected domains can access resources within this organization. The value is | NIST SP 800-53 controls: AC-3, AC-6, and IA-2 |
| `essentialcontacts.allowedContactDomains` | This policy restricts Essential Contacts so that only managed user identities in the selected domains receive platform notifications. The value is | NIST SP 800-53 controls: AC-3, AC-6, and IA-2 |
| `storage.uniformBucketLevelAccess` | This policy prevents Cloud Storage buckets from using object ACLs (a system separate from IAM policies) to grant access, enforcing consistency in access management and auditing. The value is | NIST SP 800-53 controls: AC-3 and AC-6 |
| `compute.requireOsLogin` | This policy requires OS Login on newly created VMs to make SSH key management easier, provide resource-level permissions through IAM policies, and log user access. The value is | NIST SP 800-53 controls: AC-3 and AU-12 |
| `compute.disableSerialPortAccess` | This policy prevents users from accessing the VM serial port, which can be used for backdoor access from the Compute Engine API control plane. The value is | NIST SP 800-53 controls: AC-3 and AC-6 |
| `compute.restrictXpnProjectLienRemoval` | This policy prevents the accidental deletion of Shared VPC host projects by restricting the removal of project liens. The value is | NIST SP 800-53 controls: AC-3 and AC-6 |
| `compute.vmExternalIpAccess` | This policy prevents the creation of Compute Engine instances with public IP addresses, which can expose the instances to inbound and outbound internet traffic. The value is | NIST SP 800-53 controls: AC-3 and AC-6 |
| `compute.skipDefaultNetworkCreation` | This policy disables the automatic creation of the default VPC network and default firewall rules in each new project, ensuring that networks and firewall rules are created intentionally. The value is | NIST SP 800-53 controls: AC-3 and AC-6 |
| `compute.setNewProjectDefaultToZonalDNSOnly` | This policy prevents application developers from choosing legacy DNS settings for Compute Engine instances, which offer lower service reliability than modern DNS settings. For new projects, the value is | NIST SP 800-53 controls: AC-3 and AC-6 |
| `sql.restrictPublicIp` | This policy prevents the creation of Cloud SQL instances with public IP addresses, which can expose the instances to inbound and outbound internet traffic. The value is | NIST SP 800-53 controls: AC-3 and AC-6 |
| `sql.restrictAuthorizedNetworks` | This policy prevents public or non-RFC 1918 network ranges from accessing Cloud SQL databases. The value is | NIST SP 800-53 controls: AC-3 and AC-6 |
| `compute.restrictProtocolForwardingCreationForTypes` | This policy allows VM protocol forwarding for internal IP addresses only. The value is | NIST SP 800-53 controls: AC-3 and AC-6 |
| `compute.disableVpcExternalIpv6` | This policy prevents the creation of external IPv6 subnets, which can be exposed to inbound and outbound internet traffic. The value is | NIST SP 800-53 controls: AC-3 and AC-6 |
| `compute.disableNestedVirtualization` | This policy disables nested virtualization to reduce the security risk from unmonitored nested instances. The value is | NIST SP 800-53 controls: AC-3 and AC-6 |
YAML definition
The following is the YAML definition of the secure-by-default predefined posture.

```yaml
name: organizations/123/locations/global/postureTemplates/secure_by_default
description: Posture Template to make your cloud environment more secure.
revision_id: v.1.0
state: ACTIVE
policy_sets:
- policy_set_id: Secure-By-Default policy_set
  description: 18 org policies that new customers can automatically enable.
  policies:
  - policy_id: Disable service account key creation
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-2
    constraint:
      org_policy_constraint:
        canned_constraint_id: iam.disableServiceAccountKeyCreation
        policy_rules:
        - enforce: true
    description: Prevent users from creating persistent keys for service accounts to decrease the risk of exposed service account credentials.
  - policy_id: Disable Automatic IAM Grants for Default Service Accounts
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    constraint:
      org_policy_constraint:
        canned_constraint_id: iam.automaticIamGrantsForDefaultServiceAccounts
        policy_rules:
        - enforce: true
    description: Prevent default service accounts from receiving the overly-permissive IAM role Editor at creation.
  - policy_id: Disable Service Account Key Upload
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: iam.disableServiceAccountKeyUpload
        policy_rules:
        - enforce: true
    description: Avoid the risk of leaked and reused custom key material in service account keys.
  - policy_id: Enforce Public Access Prevention
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.publicAccessPrevention
        policy_rules:
        - enforce: true
    description: Enforce that Storage Buckets cannot be configured as open to unauthenticated public access.
  - policy_id: Domain restricted sharing
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    - standard: NIST SP 800-53
      control: IA-2
    constraint:
      org_policy_constraint:
        canned_constraint_id: iam.allowedPolicyMemberDomains
        policy_rules:
        - values:
            allowed_values:
            - directoryCustomerId
    description: Limit IAM policies to only allow managed user identities in my selected domain(s) to access resources inside this organization.
  - policy_id: Domain restricted contacts
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    - standard: NIST SP 800-53
      control: IA-2
    constraint:
      org_policy_constraint:
        canned_constraint_id: essentialcontacts.allowedContactDomains
        policy_rules:
        - values:
            allowed_values:
            - "@google.com"
    description: Limit Essential Contacts to only allow managed user identities in my selected domain(s) to receive platform notifications.
  - policy_id: Enforce uniform bucket-level access
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: storage.uniformBucketLevelAccess
        policy_rules:
        - enforce: true
    description: Prevent GCS buckets from using per-object ACL (a separate system from IAM policies) to provide access, enforcing a consistency for access management and auditing.
  - policy_id: Require OS Login
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AU-12
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.requireOsLogin
        policy_rules:
        - enforce: true
    description: Require OS Login on newly created VMs to more easily manage SSH keys, provide resource-level permission with IAM policies, and log user access.
  - policy_id: Disable VM serial port access
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.disableSerialPortAccess
        policy_rules:
        - enforce: true
    description: Prevent users from accessing the VM serial port which can be used for backdoor access from the Compute Engine API control plane
  - policy_id: Restrict shared VPC project lien removal
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.restrictXpnProjectLienRemoval
        policy_rules:
        - enforce: true
    description: Prevent the accidental deletion of Shared VPC host projects by restricting the removal of project liens.
  - policy_id: Define allowed external IPs for VM instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.vmExternalIpAccess
        policy_rules:
        - deny_all: true
    description: Prevent the creation of Compute instances with a public IP, which can expose them to internet ingress and egress.
  - policy_id: Skip default network creation
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.skipDefaultNetworkCreation
        policy_rules:
        - enforce: true
    description: Disable the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that my network and firewall rules are intentionally created.
  - policy_id: Sets the internal DNS setting for new projects to Zonal DNS Only
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.setNewProjectDefaultToZonalDNSOnly
        policy_rules:
        - enforce: true
    description: Set guardrails that application developers cannot choose legacy DNS settings for compute instances that have lower service reliability than modern DNS settings.
  - policy_id: Restrict Public IP access on Cloud SQL instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: sql.restrictPublicIp
        policy_rules:
        - enforce: true
    description: Prevent the creation of Cloud SQL instances with a public IP, which can expose them to internet ingress and egress.
  - policy_id: Restrict Authorized Networks on Cloud SQL instances
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: sql.restrictAuthorizedNetworks
        policy_rules:
        - enforce: true
    description: Prevent public or non-RFC 1918 network ranges from accessing my Cloud SQL databases.
  - policy_id: Restrict Protocol Forwarding Based on type of IP Address
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.restrictProtocolForwardingCreationForTypes
        policy_rules:
        - values:
            allowed_values:
            - INTERNAL
    description: Allow VM protocol forwarding for internal IP addresses only.
  - policy_id: Disable VPC External IPv6 usage
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.disableVpcExternalIpv6
        policy_rules:
        - enforce: true
    description: Prevent the creation of external IPv6 subnets, which can be exposed to internet ingress and egress.
  - policy_id: Disable VM nested virtualization
    compliance_standards:
    - standard: NIST SP 800-53
      control: AC-3
    - standard: NIST SP 800-53
      control: AC-6
    constraint:
      org_policy_constraint:
        canned_constraint_id: compute.disableNestedVirtualization
        policy_rules:
        - enforce: true
    description: Disable nested virtualization to decrease my security risk due to unmonitored nested instances.
```
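The page notes that some policies must be customized before deployment, and the YAML shows which rules are boolean (`enforce` / `deny_all`) and which carry a list of `allowed_values`. The following is an added example, not Google's code or part of this page, that checks an organization's effective org policies against the template: it flags constraints that are unset, boolean rules whose value differs, and list rules still carrying the template's placeholder values (`directoryCustomerId`, `@google.com`). The observed policies and the customer id `C0123abcd` are constructed sample data; in practice they would be built from the Organization Policy API.

```python
"""Added example (not Google's code): gap analysis of an organization's
effective org policies against the secure_by_default v1.0 template above.
Constraint ids and rule shapes are transcribed from the page's YAML;
the observed policies at the bottom are constructed sample data."""

ENFORCED = [  # constraints the template sets with "- enforce: true"
    "iam.disableServiceAccountKeyCreation",
    "iam.automaticIamGrantsForDefaultServiceAccounts",
    "iam.disableServiceAccountKeyUpload", "storage.publicAccessPrevention",
    "storage.uniformBucketLevelAccess", "compute.requireOsLogin",
    "compute.disableSerialPortAccess", "compute.restrictXpnProjectLienRemoval",
    "compute.skipDefaultNetworkCreation", "sql.restrictAuthorizedNetworks",
    "compute.setNewProjectDefaultToZonalDNSOnly", "sql.restrictPublicIp",
    "compute.disableVpcExternalIpv6", "compute.disableNestedVirtualization",
]
POSTURE_RULES = {cid: {"enforce": True} for cid in ENFORCED}
POSTURE_RULES.update({
    "compute.vmExternalIpAccess": {"deny_all": True},
    "iam.allowedPolicyMemberDomains": {"allowed_values": ["directoryCustomerId"]},
    "essentialcontacts.allowedContactDomains": {"allowed_values": ["@google.com"]},
    "compute.restrictProtocolForwardingCreationForTypes": {"allowed_values": ["INTERNAL"]},
})
# Template values the page says you must replace before deploying the posture.
PLACEHOLDERS = {"directoryCustomerId", "@google.com"}

def gap_analysis(observed):
    """observed: constraint id -> effective rule (same shape as POSTURE_RULES). Returns sorted (id, finding) pairs."""
    findings = []
    for cid, want in POSTURE_RULES.items():
        have = observed.get(cid)
        if have is None:
            findings.append((cid, "not set"))
        elif "allowed_values" in want:  # list constraint
            want_vals, have_vals = set(want["allowed_values"]), set(have.get("allowed_values", []))
            if not have_vals or have_vals & PLACEHOLDERS:
                findings.append((cid, "placeholder or empty allowed_values"))
            elif not want_vals & PLACEHOLDERS and have_vals != want_vals:
                findings.append((cid, f"expected {sorted(want_vals)}, found {sorted(have_vals)}"))
        elif have != want:  # boolean constraint: enforce / deny_all must match exactly
            findings.append((cid, f"expected {want}, found {have}"))
    return sorted(findings)

# Constructed sample: an org that applied the template but left four gaps.
SAMPLE_OBSERVED = dict(POSTURE_RULES)
del SAMPLE_OBSERVED["compute.disableSerialPortAccess"]
SAMPLE_OBSERVED["sql.restrictPublicIp"] = {"enforce": False}
SAMPLE_OBSERVED["iam.allowedPolicyMemberDomains"] = {"allowed_values": ["C0123abcd"]}  # constructed id
SAMPLE_OBSERVED["compute.restrictProtocolForwardingCreationForTypes"] = {"allowed_values": ["INTERNAL", "EXTERNAL"]}

if __name__ == "__main__":
    for cid, finding in gap_analysis(SAMPLE_OBSERVED):
        print(f"{cid}: {finding}")
```

Running the template against itself reports only the two placeholder rules, which is the customization the page asks for before deployment.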